On 11/28/10, Bill Landry wrote:
> On 11/28/2010 11:32 AM, Steve Basford wrote:
>> Hi All,
>>
>> Sanesecurity rsync mirrors are reporting constant pounding with sites
>> requesting MSRBL signature databases. Sanesecurity *does not distribute
>> these signature databases*.
>>
>> Please could you all check your script configurations and ensure that
>> MSRBL signatures aren't downloaded from the Sanesecurity mirrors (i.e.
>> rsync.sanesecurity.net) and are in fact downloaded from
>> rsync://rsync.mirror.msrbl.com/msrbl/
>>
>> MSRBL signatures have been removed from most download scripts now, as
>> the MSRBL signatures haven't been updated in over a year (last update:
>> 2009/07/24).
>
> Thanks Steve!
>
> And to stress that this advice should not be ignored or taken lightly,
> some (possibly all) of the rsync mirror sites are blacklisting sites
> that constantly request MSRBL signature updates. There are currently
> 368 sites that are being blocked by the rsync blacklist. Once these sites
> remove the MSRBL requests from the download scripts and request
> delisting here on the Sanesecurity users list, they will once again have
> access to Sanesecurity signature updates. Until then, they will have no
> access to any Sanesecurity signature updates.
>
> Please also note that Sanesecurity DOES NOT distribute SecuriteInfo
> signature databases, so DO NOT request those from the Sanesecurity rsync
> mirrors either, lest you also risk being added to the blacklist. For
> example, this will potentially get you added to the blacklist:
>
> ==========
> rsync: link_stat "honeynet.hdb" (in sanesecurity) failed: No such file or directory
> rsync: link_stat "honeynet.hdb.sig" (in sanesecurity) failed: No such file or directory
> rsync: link_stat "securiteinfo.hdb" (in sanesecurity) failed: No such file or directory
> rsync: link_stat "securiteinfo.hdb.sig" (in sanesecurity) failed: No such file or directory
> rsync: link_stat "vx.hdb" (in sanesecurity) failed: No such file or directory
> rsync: link_stat "vx.hdb.sig" (in sanesecurity) failed: No such file or directory
> ==========
>
> These are NOT Sanesecurity distributed signature databases, download
> these signature databases from the SecuriteInfo download site.
>
> I might also add that all script users should periodically check the
> output of their download script for errors. We are also seeing requests
> like the following:
>
> ==========
> rsync: link_stat "#" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "#.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat ":" (in sanesecurity)failed: No such file or directory
> rsync: link_stat ":.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "MEDIUM" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "MEDIUM.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "false-positive" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "false-positive.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "rating" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "rating.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "ONE" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "ONE.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "CONTAINS" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "CONTAINS.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "THE" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "THE.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "COMPLETE" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "COMPLETE.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "URL" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "URL.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "PATH" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "PATH.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "(MEDIUM" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "(MEDIUM.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "RISK)," (in sanesecurity)failed: No such file or directory
> rsync: link_stat "RISK),.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "AND" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "AND.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "THE" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "THE.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "OTHER" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "OTHER.sig" (in sanesecurity)failed: No such file or directory
> ==========
>
> Caution, when using the clamav-unofficial-sigs download script, DO NOT
> PLACE ANYTHING BETWEEN THE QUOTE "" MARKS IN THE CONFIG FILE 'ss_dbs'
> DOWNLOAD SECTION EXCEPT VALID AND CORRECTLY SPELLED SANESECURITY
> SIGNATURE DATABASE NAMES. For example, as shown in the default config
> entry for Sanesecurity signature downloads:
>
> ss_dbs="
>    junk.ndb
>    jurlbl.ndb
>    phish.ndb
>    rogue.hdb
>    sanesecurity.ftm
>    scam.ndb
>    spamimg.hdb
>    winnow_malware.hdb
>    winnow_malware_links.ndb
> "
>
> However, DO NOT do something like this:
>
> ss_dbs="
>    junk.ndb
>    jurlbl.ndb
>    # phish.ndb
>    rogue.hdb
>    sanesecurity.ftm
>    # scam.ndb
>    spamimg.hdb
>    winnow_malware.hdb
>    winnow_malware_links.ndb
> "
>
> Instead, if, for example, you do not want to use the phish and scam
> databases, remove them from between the quotes, as follows:
>
> ss_dbs="
>    junk.ndb
>    jurlbl.ndb
>    rogue.hdb
>    sanesecurity.ftm
>    spamimg.hdb
>    winnow_malware.hdb
>    winnow_malware_links.ndb
> "
>
> As commenting them within the quoted section will only cause you
> problems and annoy the Sanesecurity rsync mirror site operators and
> possibly get your site added to the blacklist.
>
> Ignore this advice at your own peril, and risk being blacklisted from
> any and all Sanesecurity signature database updates.
>
> Regards,
>
> Bill
>

In clamav-unofficial-sigs.conf it does state something like:

# Add or remove database file names between quote marks as needed. To
# disable usage of any of the Sanesecurity distributed database files
# shown, remove the database file name from the quoted section below.
# To disable usage of all Sanesecurity distributed databases, comment
# all of the quoted lines below.

But it may not hurt to add "Do NOT comment out individual databases!"

--
Gary V
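
The failure discussed in this thread, as an added example that is not part of the original messages or of clamav-unofficial-sigs: a pre-flight check that splits an ss_dbs value on whitespace (an assumption, consistent with the rsync errors quoted above) and rejects every token that is not a database name. The allowlist is copied from the default ss_dbs entry quoted in the post; `check_ss_dbs` and `KNOWN_DBS` are hypothetical names.

```shell
#!/bin/sh
# Names from the default ss_dbs entry quoted in the post. Assumption for this
# example only; it is not an authoritative list of Sanesecurity databases.
KNOWN_DBS="junk.ndb jurlbl.ndb phish.ndb rogue.hdb sanesecurity.ftm"
KNOWN_DBS="$KNOWN_DBS scam.ndb spamimg.hdb winnow_malware.hdb winnow_malware_links.ndb"

# check_ss_dbs VALUE
# Word-splits VALUE the way an unquoted shell expansion would, prints each
# token that is not an allowlisted database name, and returns 1 if any was
# found. The body is a subshell so that "set -f" and the variables stay local.
check_ss_dbs() (
    rc=0
    set -f                      # tokens are data, never filename patterns
    for token in $1; do
        case " $KNOWN_DBS " in
            *" $token "*) ;;    # known database name
            *)  printf 'invalid ss_dbs entry: %s\n' "$token"
                rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample, modelled on the "DO NOT do something like this" entry.
ss_dbs="
   junk.ndb
   # phish.ndb
   rogue.hdb
   # scam.ndb
"
check_ss_dbs "$ss_dbs" ||
    echo "ss_dbs rejected: remove unwanted names instead of commenting them"
```

In the sample, `phish.ndb` and `scam.ndb` pass the check: under the word-splitting assumption the `#` is only one more token, so the "commented" databases would still be requested alongside a bogus `#` file.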